Risk-based Security and the Ideal System: An Interview with Judie Ayoola

An interview with Judie Ayoola, security architect at the Kantar Group, one of the world’s largest market research and consultancy firms and a Qualys customer. Paul Fisher went to meet her.

Paul Fisher: How and why did you get into information security as a career?

Judie Ayoola: I accidentally fell into security. I originally trained to be a librarian and, while I loved the job, I found myself increasingly reading the computer books while I was classifying them. I was intrigued about the workings of computers and while I was pursuing my degree in librarianship, one of the modules I did was on the digital storage of information and digital asset management, which I enjoyed. However, this was nothing compared to my awakened interest in computer networking and I thought: ‘Wow, this is more interesting than what I was doing’, and toyed with the idea of pursuing a Master’s in IT.

Thanks to the Sybex series on computing, I started dabbling with Windows NT, built my own home lab and started experimenting – in a way I became a librarian techy! Thus it became a natural progression to start looking for IT support roles after successfully passing a number of MCP exams and this landed me a support position at the University of Westminster.

Throughout my professional life, I’ve tended to grab any opportunity that came my way and, whilst working in the support role, a position came up for the role of IT Security Officer, which I applied for. It was a steep learning curve but what kept me going was my passion and the new learning opportunities that came with it. And it has been the same since; in order to protect your data and systems, it is imperative that you keep up to date with the types of attack threat vectors and the controls to keep out attackers.

Paul: All of which has led to your current position at the Kantar Group, where you say you take a risk-based approach to the security of the business. What do you mean by that?

Judie: I start from the premise that it is impossible to protect all the data on the network, so using a risk-based approach is the best way to protect your assets with the most cost-effective measures. The risk-based approach is predicated on an understanding of your business, its processes, the type of data the organisation handles and its compliance obligations; in a nutshell, it is establishing what is really important to the organisation and the information it needs to survive.

At the University, for example, student records were central to the business of the university. These were our crown jewels and it was paramount that they were protected with different layers of controls, be they procedural, technical or through user awareness. It is also important to know the value of different types of data to the business – is it worth $10,000 or $1m? The value also changes depending on circumstance or even the time of year. For example, in September student enrolment payments and systems would assume higher importance – later in the year, the intranet or CMS would be more important. Therefore it is important to engage with the business in order to identify any changes in process that would affect your ability to support their security requirements – without this approach there will be a disconnect between the implemented controls and their effectiveness. Finally, you have to map threat scenarios or use threat modelling to determine what kind of attacks you are most likely to suffer, the vulnerabilities in your systems or processes and the consequences of a data breach. The most important thing to remember is that your risk assessments must always be based on what the business feels is important, not what IT thinks is important.

Paul: Sounds a very sensible and forward-thinking approach, but do you think that sometimes the threats get over-hyped by vendors?

Judie: Yes and no. Vendors need to provide a compelling reason to sell their products but we do need to be realistic; so-called APT attacks happen because our carefully implemented security controls failed. It’s certainly true that the attacks are sophisticated and the motives for these attacks have also changed. However, how often do we measure the effectiveness of the controls against these new attacks? Are we still concentrating on securing the perimeter without addressing web-borne threats or application-layer attacks? What about phishing attacks? How do we dissuade users from falling prey to phishing attacks such as spear phishing? We do need to maintain a sense of perspective. We need to identify the vulnerabilities in our systems, understand how they could be exploited and implement controls to minimise the exposure to these vulnerabilities. Security professionals need to keep up to date with the threats against their businesses or other businesses in the same verticals and use reports of data breaches in the media to assess the effectiveness of their controls to prevent such breaches on their own network. I would also advocate dovetailing on such stories to sell the security message to the business. Rather than purchase every new solution that addresses the latest types of attack, we need to assess what threat the solution will be addressing and how it would integrate into your existing security strategy; otherwise we risk implementing silo systems which invariably introduce complexities and over-engineering of the network. If I take the attack against Lockheed Martin in 2011, for example, it appears the attackers used valid credentials of one of their business partners, including their RSA token, to gain unauthorised access to their network, but this was detected by their monitoring system, which was monitoring all user activity including third parties. Would an APT system have prevented an attacker from using a trusted path to attack the network? I would say that a combination of access controls, auditing, monitoring and an effective incident response programme prevented the attackers from gaining access to their data. What is certain is that the attackers’ modus operandi keeps evolving and we need to monitor and measure our network’s effectiveness to withstand such attacks.

Paul: Today everyone is talking about the cloud. How is this changing business security?

Judie: Cloud enables the loose coupling of business technology. Cloud computing can benefit companies in a number of ways, such as easier maintenance and upgrades, greater flexibility and mobility and continuity of business; however, I believe that the only difference between the cloud and the local data centre is the physical location. In terms of the security responsibilities, this does not change. The reluctance of a number of companies to move to the cloud is because of the security challenges, but security professionals have to engage with the business and, rather than focus on the risks from the cloud, we need to keep the business informed about how these risks can be mitigated to support the secure transaction of business.

As a security architect designing your information security systems, you need to flesh out the security requirements (how, where, when, what and who will need access to the information) as well as the security standards and compliance obligations, and implement systems that address these requirements. These responsibilities should not be transferred to the cloud provider even if they have multiple security certifications such as ISO 27001, SSAE 16, PCI DSS etc. Therefore, in terms of business security, we need to implement the same preventative, detective, deterrent, corrective and recovery controls in the cloud. I am aware that this will depend on the type of cloud delivery model implemented, be it SaaS, PaaS or IaaS, and businesses have more control in the case of an IaaS model; but irrespective of the cloud delivery model, the Security and Compliance teams have to ensure that the cloud provider has systems and controls to protect their data and ask the cloud service provider for their third-party audit reports and certifications.

Paul: So, what is the best part of your job?

Judie: It’s the feeling of adding value to the business and that there hasn’t been a financial impact due to inadequate security measures. It is important that the systems that are implemented are appropriate and cost-effective and meet the needs of the business. It’s about keeping up to date with the ever-evolving threat landscape, monitoring the environment, checking on the systems and ensuring that you are providing valid metrics that provide evidence that the security implementation positively impacts the organisation’s mission success.

When I was at the University of Westminster, the security team pressed home the message that security was everyone’s responsibility, and we could measure the effectiveness of our user awareness campaigns based on the number of emails or tickets that were raised with reports of phishing emails, even though we had filters to detect and block phishing emails, as it showed that the users were being vigilant.

Paul: That’s a good point. How do you educate people on security awareness?

Judie: I am of the opinion that people change their behaviour if what you are trying to change resonates with them. I had an old Director who put it rather succinctly: ‘What’s in it for me?’ And that is now how I try to sell the message of security. An example is that rather than tell users not to click on links in emails or on malicious websites, you need to tell them why, and the impact of doing that, and if possible provide examples of reports of phishing victims. Thankfully the Internet is awash with such security information and we should use such security incidents in the media to drive home the message of security. We also have to provide the information in bite-sized pieces and in a medium that suits the different users, such as podcasts, videos, flyers or the intranet.

Paul: So what about the qualities of people working in information security? What do they need?

Judie: We need people who are not simply technical but also those who can sell information security. We need people who can go to the business and speak to them in a language they can understand, irrespective of their position within the organisation, and ensure that the information is relevant to the user. That is probably the most important quality. An example is that when discussing security with the CEO, you have to focus on the financial value of preventing viruses rather than the number of viruses that were stopped by the AV software. In a nutshell, in addition to technical skills, we also need people with communication and marketing skills and the ability to apply social and behavioural science to dealing with the human factors of security defence.

Paul: So if you could invent one piece of security hardware or software, what would it be?

Judie: I would want one piece of hardware that tells me what my vulnerabilities are, has the intelligence to classify data dynamically, and identifies and prevents attacks targeting the network; but in the event that an incident does occur, the system should also prevent the attacker from accessing any critical data and limit their activities on the network. My ideal system would also use big data analytics to boost security. Not much really... everything in one!